Rubber Ducky: Quaker attack

A couple of weeks ago, my friend, Diego Toledo, and I had the opportunity to play around with a Rubber Ducky, provided by our Infosec professor, Ken Bauer. The results were both fun and creepy at the same time.

1.1 A giant rubber duck.

What's a Rubber Ducky?

As you might have noticed, indeed, rather than talking about a rubber duck like the one above, I'm actually referring to a device that looks like a flash drive, but types like a keyboard. The hardshell cover of looks like a USB, but the inside hardware is quite different. The device uses the USB Human Interface Device Protocol (HID) to communicate with the computer and emulates a peripheral device. What's quite dangerous about the fact that it takes advantage of a vulnerability of the HID protocol, is that the protocol is a standard; it doesn't matter whether the OS is Windows, Mac or Linux, the Duck can get 'em all. At the back of the microchip, there is a slot for a Micro SD memory for storage, and here's where the magic happens: inside the SD, the Duck Scripts are loaded (already compiled) and they run when the USB is plugged.

1.2 Anatomy of the Rubber Ducky

How does it work?

In order to perform an attack with The Duck, there are several steps to follow. Probably, the most important of these steps is research. Social Engineering is fundamental in this step, because the commands you can performed and the time gap you have is limited. Understanding what's the victim routine, how is the configuration of the keyboard and what's the easiest way to perform certain tasks. Once you've got all of this, you can now move on to develop the script. Rubber Ducky uses a Ducky Script, which has a quite easy syntax and is later compiled with Java. Each action by itself is consider a Payload in the Rubber World vocabulary. Moreover, there are a lot of possibilities for attacks or even pranks; you can actually dig inside the official GitHub repository, which is full of examples of payloads. Once you've got the compiled file, you load it into the SD Card and that's it! Of course, if you actually want to perform an attack, you need to take yourself time to test the script. Usefully, the Duck is integrated with a replay button that re-runs the script, as well as a LED which indicates if there were any errors (red light) or if the script run perfectly (green light). In our particular case, Diego did an interesting attack which consisted of faking my sudo with an alias, and simulating it was working as the normal command should; in the background, it was listening my password every time I typed it and sent it to a server of his own. Of course, this could have been prevented if my firewall was turned on. Curiously, thanks to this experiment I noticed it was turned off by default as it was a new account on my Mac. That just added more content for my previous post about SUX (UX Security). We also performed a Rick Roll prank as well.

1.3 Example of Rick Roll payload in Ducky Script

How easy can you get one?

Actually, it's quite easy to get one. Our Ducky provider is Hack5 Gear shop, where a Rubber Ducky can cost around 45 USD. Moreover, executing an attack can quite easy, depending on what you want to get.

1.4 The Hack5 kit of the USB Rubber Ducky

How can I defend myself from it?

Although there are technical configurations to prevent some attacks (like turning on your Firewall), probably the best advice is following the golden rule of security: Trust no one. What I mean by this is rather than behaving like a paranoid all the time, is choosing wisely who to trust. The problem is not the capabilities of the Rubber Ducky, but leaving your laptop without lock or trusting any USB you find in a public place.

Other uses

Not every script for the Duck needs to be necessarily something harmful. The payloads in the repository can also be pranks, like faking the desktop with a screenshot and hiding folders, for example. Furthermore, IT people can optimize installing or fixing stuff by carefully writing down and storing useful scripts for that.